post-demo-automation
Pass
Audited by Gen Agent Trust Hub on Jul 4, 2026
Risk Level: SAFEPROMPT_INJECTIONNO_CODE
Full Analysis
- [PROMPT_INJECTION]: The skill ingests untrusted data from external platforms (Clari call recordings and HubSpot records) to automatically generate email drafts and calendar events. This workflow is vulnerable to indirect prompt injection if instructions are embedded within the recorded conversation or CRM data fields.
- Ingestion points: External data enters the agent context via
clari_get_call_summaryandhubspot_get_dealtools as specified in Stage 1 of the workflow. - Boundary markers: There are no explicit instructions or delimiters used to separate external data from system instructions or to warn the agent to ignore instructions embedded in the ingested content.
- Capability inventory: The skill has access to tools for creating email drafts (
gmail_create_draft), scheduling calendar events (create_event), and querying CRM data. - Sanitization: The risk is mitigated by a required manual review process ("all outputs are drafts; you customize tone and timing") outlined in the 'Quick Start' and 'Execution Checklist' sections of the SKILL.md file.
- [NO_CODE]: The skill is implemented as a prompt-based extension containing only natural language instructions and configuration. It does not contain executable scripts (Python, Node.js) or binaries, which significantly reduces the technical attack surface for typical code-based exploits.
Audit Metadata